data can be accessed when it is needed; and Endnotes threats to confidentiality and integrity concern data being disclosed or changed without the reliant party’s knowledge or approval. Data dependency is a measure of how sensitive a critical infrastructure sector is to the availability, integrity and confidentiality of data flowing between the sectors. More specifically, “dependency” reflects the oneway data-security requirements of one critical infrastructure sector on another. “Interdependency” refers to the bidirectional system of data and information being shared between critical infrastructure sectors (Macaulay 2008).
Defining Dependency in Critical Infrastructure
The metrics and analysis presented here are drawn from earlier work, in which the survey and data collection methodology are documented (ibid.). In sum, more than 100 security and communications executives from all critical infrastructure sectors were asked detailed questions about the sensitivity of information they send and receive from all other critical infrastructure sectors, in order to quantify “inbound” versus “outbound” data dependency. Inbound data dependency is about information and data being delivered to, and consumed by, a critical infrastructure organization. Information and data arrive in the form of voice calls, internet-based business systems and services, and even social media and other employee activities. Inbound dependency, therefore, involves the cyber security properties
of information needed by critical infrastructure organizations to continue the production of goods or services. For instance, how long can a water treatment plant continue to operate safely without information from testing laboratories in the health sector? Inbound data dependency is related to the vulnerabilities of a sector that are caused by interdependency. Outbound data dependency is about information from a given critical infrastructure sector that is sent to other critical infrastructure sectors. Websites are information assets established in part to address outbound data on a self-serve basis. Outbound dependency concerns the security requirements that other, consuming critical infrastructure sectors place on the suppliers of information. To return to the example of the water treatment plant, outbound dependency is concerned with how long the health sector can safely operate without information from the water treatment plant. Outbound dependency concerns the threat that a given critical infrastructure can pose to other critical infrastructure sectors due to interdependency.
The disruption or destruction of critical infrastructure would have an immediate and direct impact on the economic activity, day-to-day life and safety of those affected.
Dependency Matrices A dependency matrix is a means of visualizing the cyber risks associated with critical infrastructure interdependency. The dependency matrix reveals the potential vulnerability of a given critical infrastructure to threats from other critical infrastructure sectors. The table below is an example of a dependency matrix. Both inbound and outbound dependencies are presented through this single tool. Together, inbound and outbound dependence equal “interdependence.”
Dependency Matrix for the 10 Critical Infrastructure Sectors Inbound dependencies (vulnerabilities)
Energy
Communications & IT
Finance
Health Care
Food
Water
Transportation
Safety
Government
Manufacturing
Energy
9.37
3.63
2.48
3.88
2.06
3.08
4.25
3.23
3.36
3.24
Communications & IT
6.96
8.82
4.48
5.11
2.32
3.42
4.41
4.62
3.96
7.08
Outbound dependencies (threats)
Critical Infrastructure sector
Finance
7.13
7.19
8.95
4.23
8.23
5.01
6.78
4.02
5.18
7.96
Health Care
4.12
2.43
2.99
8.25
1.8
4.43
3.33
5.78
5.06
2.57
Food
1.47
1.66
1.94
3.76
6.45
1.83
2.48
1.05
2.71
1.99
Water
4.90
1.84
1.96
3.6
1.3
5.78
3.18
1.20
2.87
2.16
Transportation
6.82
3.95
4.23
4.95
5.06
2.96
7.49
3.78
4.66
5.84
Safety
7.85
3.96
3.6
5.71
1.02
4.54
5.35
8.23
5.73
4.96
Government
5.85
5.05
7
6.12
4.76
5.05
7.61
6.43
8.78
5.96
Manufacturing
5.87
3.75
4.66
5.01
4.5
3.43
4.53
1.17
3.63
7.15
Source: Author. The Danger of Critical Infrastructure Interdependency
71